Privacy Policy

v1.0

Effective: 4/22/2026

1. Data Controller

Von Gstaad is operated by M.H. Kaaniche ("the Operator"). For data-related enquiries: privacy@vongstaad.com.

2. Data We Collect

We collect: (a) Email address — provided voluntarily when requesting access or subscribing; (b) Role and use case — provided voluntarily at registration; (c) API usage metadata — request timestamps, endpoint called, response codes (no content logged); (d) Technical signals for abuse prevention — IP address hashed with a rotating daily salt (non-reversible), submission timing; (e) Payment data — handled entirely by Paddle; we receive only subscription status and tier.

3. How We Use Your Data

Email: to send confirmation, access credentials, anomaly alerts, and service communications. We do not send marketing email. Role and use case: to evaluate early access requests and understand our user base. API metadata: to enforce rate limits, detect abuse, and maintain service integrity. Technical signals: to prevent automated abuse of the access form.

4. Data Storage and Security

Email addresses are encrypted at the application layer (AES-256-GCM) before storage. IP data is irreversibly hashed and cannot be attributed to an individual. Data is stored on Neon PostgreSQL infrastructure. Access is restricted to the service account used by the API. No raw email addresses are written to application logs at any time.

5. Third-Party Processors

Von Gstaad uses the following processors: Paddle.com Market Limited (payment processing, acts as Merchant of Record); Neon Inc. (PostgreSQL database hosting); Cloudflare Inc. (DNS, CDN, DDoS protection, serverless compute, CAPTCHA); Resend Inc. (transactional email delivery); GitHub Inc. (source code hosting and CI/CD pipeline). Each processor is bound by its own data processing terms.

6. Data Retention

Access request data is retained until the earlier of: user deletion request, or 6 months following product sunset. Active subscriber data is retained for the duration of the subscription plus 12 months for legal and accounting purposes. API usage metadata is retained for 90 days on a rolling basis.

7. Your Rights

You have the right to: access the data we hold about you; correct inaccurate data; request deletion of your data (right to be forgotten); withdraw consent for communications. To exercise any right, email privacy@vongstaad.com or use the revocation link provided in any email from Von Gstaad. Deletion requests are processed within 30 days.

8. Cookies

Von Gstaad does not use tracking cookies or advertising cookies. We may use a single session cookie strictly necessary for authenticated dashboard access (v2 onwards). No third-party analytics scripts are loaded on any page.

9. Changes to This Policy

Material changes to this policy will be communicated by email to registered users with 14 days' notice. The version number and effective date above will be updated. Continued use of the Service constitutes acceptance.

Questions? Contact: legal@vongstaad.com